{"id": "CVE-2006-5878", "bulletinFamily": "NVD", "title": "CVE-2006-5878", "description": "Cross-site request forgery (CSRF) vulnerability in Edgewall Trac 0.10 and earlier allows remote attackers to perform unauthorized actions as other users via unknown vectors.", "published": "2006-11-14T14:07:00", "modified": "2017-07-19T21:34:03", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5878", "reporter": "NVD", "references": ["http://trac.edgewall.org/wiki/ChangeLog", "http://trac.edgewall.org/ticket/4049", "http://www.vupen.com/english/advisories/2006/4422", "https://exchange.xforce.ibmcloud.com/vulnerabilities/30146", "http://security.gentoo.org/glsa/glsa-200612-14.xml", "http://www.debian.org/security/2006/dsa-1209"], "cvelist": ["CVE-2006-5878"], "type": "cve", "lastseen": "2017-07-20T10:49:38", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:edgewall_software:trac:0.8.1", "cpe:/a:edgewall_software:trac:0.50.9", "cpe:/a:edgewall_software:trac:0.5.1", "cpe:/a:edgewall_software:trac:0.8.4", "cpe:/a:edgewall_software:trac:0.7.1", "cpe:/a:edgewall_software:trac:0.6.1", "cpe:/a:edgewall_software:trac:0.9.3", "cpe:/a:edgewall_software:trac:0.9.2", "cpe:/a:edgewall_software:trac:0.9.6", "cpe:/a:edgewall_software:trac:0.8.3", "cpe:/a:edgewall_software:trac:0.10", "cpe:/a:edgewall_software:trac:0.9.5", "cpe:/a:edgewall_software:trac:0.9.4", "cpe:/a:edgewall_software:trac:0.9", "cpe:/a:edgewall_software:trac:0.8.2", "cpe:/a:edgewall_software:trac:0.9.1", "cpe:/a:edgewall_software:trac:0.5.2", "cpe:/a:edgewall_software:trac:0.9b1", "cpe:/a:edgewall_software:trac:0.7", "cpe:/a:edgewall_software:trac:0.8", "cpe:/a:edgewall_software:trac:0.5", "cpe:/a:edgewall_software:trac:0.9b2", "cpe:/a:edgewall_software:trac:0.6"], "cvelist": ["CVE-2006-5878"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Cross-site request forgery (CSRF) vulnerability in Edgewall Trac 0.10 and earlier allows remote attackers to perform unauthorized actions as other users via unknown vectors.", "edition": 1, "enchantments": {}, "hash": "274f9d64087b45c4529762ae011f8cab42bd6317b522920098246b4c805c9d29", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "e354b4853709e1464aedaff42c1e6bea", "key": "modified"}, {"hash": "1e77ad7a494ea4c8812c9c0e47c58e5f", "key": "description"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "344aeefc96467cc5054e49323299171d", "key": "title"}, {"hash": "824ff1d4689ae4c419c50b836f445aa6", "key": "cpe"}, {"hash": "698cbf86f9160ffe208ebb8f57a41cd4", "key": "cvelist"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "c8ed522a4f67d6d8dc7ad798fb1abed5", "key": "references"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "af8c5667b1f792bd76d3e72483df17e7", "key": "published"}, {"hash": "11583cc4e724a0fad3e1c80d15616ba1", "key": "href"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5878", "id": "CVE-2006-5878", "lastseen": "2016-09-03T07:51:11", "modified": "2011-03-07T21:43:58", "objectVersion": "1.2", "published": "2006-11-14T14:07:00", "references": ["http://trac.edgewall.org/wiki/ChangeLog", "http://trac.edgewall.org/ticket/4049", "http://www.vupen.com/english/advisories/2006/4422", "http://security.gentoo.org/glsa/glsa-200612-14.xml", "http://www.debian.org/security/2006/dsa-1209", "http://xforce.iss.net/xforce/xfdb/30146"], "reporter": "NVD", "scanner": [], "title": "CVE-2006-5878", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T07:51:11"}], "edition": 2, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "824ff1d4689ae4c419c50b836f445aa6"}, {"key": "cvelist", "hash": "698cbf86f9160ffe208ebb8f57a41cd4"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "1e77ad7a494ea4c8812c9c0e47c58e5f"}, {"key": "href", "hash": "11583cc4e724a0fad3e1c80d15616ba1"}, {"key": "modified", "hash": "5691565698a948b5190b16876b6e18f5"}, {"key": "published", "hash": "af8c5667b1f792bd76d3e72483df17e7"}, {"key": "references", "hash": "d4f3316af1a95fbd063cbf98855e7004"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "344aeefc96467cc5054e49323299171d"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "740ecf75943219c6a0becf4c4cff931eb6d3020a7d5cdbb2c25373235c3ebe8a", "viewCount": 0, "enchantments": {"vulnersScore": 6.8}, "objectVersion": "1.3", "cpe": ["cpe:/a:edgewall_software:trac:0.8.1", "cpe:/a:edgewall_software:trac:0.50.9", "cpe:/a:edgewall_software:trac:0.5.1", "cpe:/a:edgewall_software:trac:0.8.4", "cpe:/a:edgewall_software:trac:0.7.1", "cpe:/a:edgewall_software:trac:0.6.1", "cpe:/a:edgewall_software:trac:0.9.3", "cpe:/a:edgewall_software:trac:0.9.2", "cpe:/a:edgewall_software:trac:0.9.6", "cpe:/a:edgewall_software:trac:0.8.3", "cpe:/a:edgewall_software:trac:0.10", "cpe:/a:edgewall_software:trac:0.9.5", "cpe:/a:edgewall_software:trac:0.9.4", "cpe:/a:edgewall_software:trac:0.9", "cpe:/a:edgewall_software:trac:0.8.2", "cpe:/a:edgewall_software:trac:0.9.1", "cpe:/a:edgewall_software:trac:0.5.2", "cpe:/a:edgewall_software:trac:0.9b1", "cpe:/a:edgewall_software:trac:0.7", "cpe:/a:edgewall_software:trac:0.8", "cpe:/a:edgewall_software:trac:0.5", "cpe:/a:edgewall_software:trac:0.9b2", "cpe:/a:edgewall_software:trac:0.6"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}

{"result": {"openvas": [{"id": "OPENVAS:57582", "type": "openvas", "title": "Debian Security Advisory DSA 1209-2 (trac)", "description": "The remote host is missing an update to trac\nannounced via advisory DSA 1209-2.\n\nThe Trac update in DSA 1209 introduced a regression. This update corrects\nthis flaw. For completeness, the original advisory text below:\n\nIt was discovered that Trac, a wiki and issue tracking system for\nsoftware development projects, performs insufficient validation against\ncross-site request forgery, which might lead to an attacker being able\nto perform manipulation of a Trac site with the privileges of the\nattacked Trac user.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57582", "cvelist": ["CVE-2006-5878"], "lastseen": "2017-07-02T21:10:22"}, {"id": "OPENVAS:57953", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200612-14 (trac)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200612-14.", "published": "2008-09-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57953", "cvelist": ["CVE-2006-5878"], "lastseen": "2017-07-02T21:10:25"}, {"id": "OPENVAS:57580", "type": "openvas", "title": "Debian Security Advisory DSA 1209-1 (trac)", "description": "The remote host is missing an update to trac\nannounced via advisory DSA 1209-1.\n\nIt was discovered that Trac, a wiki and issue tracking system for\nsoftware development projects, performs insufficient validation against\ncross-site request forgery, which might lead to an attacker being able\nto perform manipulation of a Trac site with the privileges of the\nattacked Trac user.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=57580", "cvelist": ["CVE-2006-5878"], "lastseen": "2017-07-02T21:10:26"}], "nessus": [{"id": "GENTOO_GLSA-200612-14.NASL", "type": "nessus", "title": "GLSA-200612-14 : Trac: Cross-site request forgery", "description": "The remote host is affected by the vulnerability described in GLSA-200612-14 (Trac: Cross-site request forgery)\n\n Trac allows users to perform certain tasks via HTTP requests without performing correct validation on those requests.\n Impact :\n\n An attacker could entice an authenticated user to browse to a specially crafted URL, allowing the attacker to execute actions in the Trac instance as if they were the user.\n Workaround :\n\n There is no known workaround at this time.", "published": "2006-12-14T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=23866", "cvelist": ["CVE-2006-5878"], "lastseen": "2016-09-26T17:26:06"}], "osvdb": [{"id": "OSVDB:30129", "type": "osvdb", "title": "Trac Unspecified CSRF", "description": "## Solution Description\nUpgrade to version 0.10.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor Specific News/Changelog Entry: http://trac.edgewall.org/ticket/4049\n[Vendor Specific Advisory URL](http://www.us.debian.org/security/2006/dsa-1209)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200612-14.xml)\n[Secunia Advisory ID:22868](https://secuniaresearch.flexerasoftware.com/advisories/22868/)\n[Secunia Advisory ID:22789](https://secuniaresearch.flexerasoftware.com/advisories/22789/)\n[Secunia Advisory ID:23357](https://secuniaresearch.flexerasoftware.com/advisories/23357/)\n[CVE-2006-5848](https://vulners.com/cve/CVE-2006-5848)\n[CVE-2006-5878](https://vulners.com/cve/CVE-2006-5878)\n", "published": "2006-11-01T10:48:47", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:30129", "cvelist": ["CVE-2006-5848", "CVE-2006-5878"], "lastseen": "2017-04-28T13:20:26"}], "gentoo": [{"id": "GLSA-200612-14", "type": "gentoo", "title": "Trac: Cross-site request forgery", "description": "### Background\n\nTrac is a wiki and issue tracking system for software development projects. \n\n### Description\n\nTrac allows users to perform certain tasks via HTTP requests without performing correct validation on those requests. \n\n### Impact\n\nAn attacker could entice an authenticated user to browse to a specially crafted URL, allowing the attacker to execute actions in the Trac instance as if they were the user. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Trac users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/trac-0.10.1\"", "published": "2006-12-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/200612-14", "cvelist": ["CVE-2006-5848", "CVE-2006-5878"], "lastseen": "2016-09-06T19:47:01"}]}}